Improving Jitsi Authentication

Product Requests and Ideas
#1

Hello dear Jitsi Community,

I am a developer at Apitech (https://apitech.net/), a company which has been working on Jitsi-based projects for the past 5 years. We now have quite an expertise on Jitsi’s whole ecosystem and we would like to contribute by developing a feature that would benefit a lot of people.

Here’s the idea : today, we can use JWT authentication (thanks to Prosody) for newly created conferences. We would like to add a component, to enhance authentication and open the way to many auth possibilities, without breaking any existing thing. That component would communicate with Jitsi on one side, and with an authentication provider (OIDC, OAuth, SAML, CAS, whatever you like !) on the other side, but would always return a JWT to Jitsi ! It would also allow users to get information from their SSO into Jitsi (nickname, avatar, moderator role, …), using the JWT.

Here’s a graphical explanation of these interactions between components

IMAGE_INTERACTIONS
IMAGE_INTERACTIONS1163×948 23.1 KB

Here’s how it could look like on Jitsi windows

IMAGE_CONF_OPEN
IMAGE_CONF_OPEN1111×576 20.3 KB

IMAGE_CONF_AUTH
IMAGE_CONF_AUTH1111×576 20.4 KB

Here’s what the config.js could look like :

IMAGE_CONFIG
IMAGE_CONFIG760×245 17.4 KB

I’m sharing that post with you to have your thoughts on a feature like that, but also your ideas and improvements. It’s not a “regular” feature request, as we are ready to do that implementation ourselves, if enough people are interested.

The idea is to make this component as open as possible, to allow people to add their authentication methods. Of course, we would have to develop something that can also works for mobile clients.

Thanks in advance for your thoughts and support ! :slightly_smiling_face:

6 Likes
[jitsi-dev] Jitsi Meet and OpenID Connect Authentication
#2

Good stuff!

I think we have the initial bits in already, but it’s not a code path which is very visible or tested. There is an (sadly) undocumented setting called tokenAuthUrl which will open a window to authenticate with a service and then get back a JWT.

So your service would need to implement the multiple auth flows and just return a JWT Jitsi likes.

AFAIK KeyCloak can do this already with some glue: GitHub - d3473r/jitsi-keycloak: Login to jitsi with keycloak https://hub.docker.com/r/d3473r/jitsi-keycloak

Now, this doesn’t work on mobile, for example, so we could definitely use some help there!

4 Likes
#3

Nice. Great stuff, thanks.

I’m also working on adding authentication via blockchain and DIDs, not just the classic centralized services

1 Like
#4

Looking forward the extra buzzword compliance :stuck_out_tongue:

3 Likes
#5

This looks very interesting and seems like a great idea!

I get a lot of questions from people about integrated authentication and often come up with “yes, you and me both” :slight_smile:

Any news/progress on this?